TWI718291B - Service provision system, service provision method, and computer program - Google Patents

Abstract

The subject of the present invention is to realize a system that blacklists information with the possibility of improper access as a database, and can efficiently detect the same improper access.

The solution of the present invention is a service providing system that provides a predetermined service to users. It is characterized by having a server section for providing services, and an authentication server section for judging whether it is a legitimate user; the server section includes the The user’s information is provided to the authentication server. For users who are judged to be legitimate users, the service provision means perform service provision, and the information about the user’s actions on the server is sent to an external comparison device The authentication server part includes a means for judging whether the user is a legitimate user based on the user’s information, and a means for receiving an indicator from the comparison device that the user is not a legitimate user.

Description

Service provision system, service provision method, and computer program

The present invention relates to a service providing system ‧ providing method for providing a predetermined service to users. Also, regarding the verification device and verification method used by the service providing system for user authentication. Furthermore, computer programs related to these devices.

Previously, there have been known web sites (service providing systems) that provide various services to users on networks such as the Internet.

Users who want to use the Web site can use the assigned ID and password to access and log in to the Web site, and use the Web site to receive the desired service.

For example, a user who uses the Web site of a shopping mall can log in to the Web site with an ID and a password, move to each page provided by the Web site, and execute the purchase of the product on the page where the desired product is found.

In the previous Web sites, in order to allow only legitimate users to use it, most of them used IDs and passwords. By using the ID and password, so-called malicious intruders can be eliminated, and smooth services can be sought use.

<Malicious Access>

However, in recent years, there have been reports of incidents in which malicious third parties used improper means to obtain the ID and password of others. Such a malicious third party uses the ID and password of another person (legitimate user) to log in to the Web site using only their ID and password. It is difficult to distinguish whether the login person is a legitimate user or a malicious third party. Three of them.

Therefore, in recent years, there has been known a database structure that records the actions performed by a legitimate user after logging in as a whitelist. Here, as the information of the recorded action, for example, the following information is preferable.

‧OS

‧Browser

‧Language

‧IP address (representing the geographic location of the user performing the access)

‧Time (the time of access)

Recording such information and constructing a database as a so-called white list can detect the status of the logged-in user performing different actions than usual. In this way, for users who perform actions different from usual, it is better to perform additional authentication in order to confirm that they are not malicious third parties. For example, for the user’s mobile phone or smart phone, send "Someone is using your ID to access the following Web site. The access is yours Did it by itself? If not, please press (touch) the NO button. "When the "NO button" is pressed (touch), it is judged that it is not a legitimate user, but a malicious third party accessing it. Then, the process of cutting off the user's access can be executed immediately.

For example, the situation of accessing from a place (IP address) different from usual, the situation of accessing from a computer (OS, browser) different from usual, etc. can be mentioned. In this situation, perform additional authentication to confirm whether the user is a legitimate user (also called identity verification).

In addition, most of the white list is constructed based on dozens of accesses made by the legitimate user in the past, but it is also based on fewer times (several times) or more times (hundreds of times). . Furthermore, there are also situations in which the white list is replaced and updated with new information every time a legitimate user accesses it.

Previous patent documents

For example, Patent Document 1 described later discloses a device that uses a white list and a black list to retrieve content information. The same document also records that privacy is protected by using two lists.

For another example, Patent Document 2 described later discloses an access control system that uses whitelists and blacklists to control access to Web sites.

[Prior Technical Literature] [Patent Literature]

[Patent Document 1] JP 2012-159939 A

[Patent Document 2] JP 2011-3132 A

In this way, in the previous Web site, as a white list, information about the access actions of legitimate users is recorded, and users who perform actions that are significantly different from the white list are appropriately additionally authenticated.

However, malicious third parties will of course cleverly disguise the legitimate users themselves, so in general there are situations that are difficult to see through. Therefore, most of the responses are based on the rule of thumb of the security incumbents. For example, the withdrawal of deposits with the full withdrawal limit of the self-deposit account on the Web site of a financial institution is also based on the rule of thumb that there is a high possibility of a malicious third party, and a malicious third party is found.

Furthermore, IDs and passwords often use common IDs and passwords for multiple Web sites. At this time, when a set of ID and password are incorrectly obtained by a malicious third party, the situation of continuous improper access to multiple Web sites may also be seen.

In such a situation, when an improper access to a certain Web site is detected, it is necessary to provide the information to the business of other Web sites in order to prevent the above-mentioned continuous improper access caused by the use of a common ID and password. effective.

However, this architecture has not been fully realized. For example, as information about such improper access, it has not been constructed to determine what kind of information has Effective rules. In addition, it is hard to say that the identification method of improper access is fully established in the world. Furthermore, for example, even if a certain IP address is used for improper access, the IP address is not often used for improper access.

The present invention is the inventor in view of related issues, and its purpose is to realize a system that blacklists information with the possibility of improper access as a database, and can efficiently detect the same improper access. Furthermore, it is also the object of the present invention to provide related devices, methods, and computer programs for realizing the system.

(1) In order to solve the aforementioned problems, the present invention provides a service providing system, which is a service providing system that provides a predetermined service to a user, characterized by: having: a server section that provides a predetermined service to the aforementioned user; and an authentication server The server section determines whether the user is a legitimate user; the server section includes: a service providing means, which provides the user’s information to the authentication server section, and determines whether the authentication server section is The aforementioned user of the legitimate user performs the provision of the aforementioned predetermined service; and the sending means is to send the information of the aforementioned user’s actions on the aforementioned server unit to an external comparison device; the aforementioned authentication server unit includes : Judging means is to receive the information of the aforementioned user from the aforementioned server unit to determine whether the aforementioned user is a legitimate user; and the receiving means is to receive from the aforementioned external comparison device that the aforementioned user is not a legitimate user Indicators; and can obtain indicators that the aforementioned user is not a legitimate user.

(2) In addition, the present invention provides a service providing system. In the service providing system described in (1), the authentication server section further includes: a confirmation instruction means based on the indicator received by the receiving means, When the probability of judging that the aforementioned user is not a legitimate user is greater than the predetermined threshold, the aforementioned server unit issues an instruction for the aforementioned user to perform confirmation processing to confirm whether the aforementioned user is a legitimate user; The service providing means is to execute the confirmation process for the aforementioned user upon receiving an instruction to execute the aforementioned confirmation process.

(3) In addition, the present invention provides a service provision system. In the service provision system described in (1) or (2), when the aforementioned service provision means determines that the aforementioned user is not a legitimate user as a result of the aforementioned confirmation processing , The aforementioned transmitting means is to transmit to the aforementioned external collating device the intention that the aforementioned user is not a legitimate user.

(4) In order to solve the aforementioned problems, the present invention provides a comparison device, which is based on the information of the user's actions to obtain an indicator that the aforementioned user is not a legitimate user, and is characterized by including: communication means, The external service providing system receives information about the user’s actions; and the blacklist index calculation method is a blacklist database that compares and records the information on the actions of the aforementioned users judged to be not legitimate users, and the aforementioned receiving means According to the received information on the actions of the aforementioned user and the data in the aforementioned blacklist database, an indicator that the aforementioned user is not a legitimate user is calculated and sent based on the degree of similarity.

(5) In addition, the present invention provides a comparison device. In the comparison device described in (4), the aforementioned communication means uses the aforementioned The indicator that the user is not a legitimate user is sent to the outside.

(6) In addition, the present invention provides a comparison device. In the comparison device described in (4) or (5), the aforementioned index of not being a legitimate user is the probability of not being a legitimate user.

(7) In addition, the present invention provides a comparison device. The comparison device described in any one of (4) to (6) further includes: a whitelist database, which records the information of the legitimate actions of the aforementioned user ; When the information of the user's actions received by the aforementioned receiving means is judged to be inconsistent with the records in the aforementioned whitelist database, the aforementioned blacklist database is to register the aforementioned received information of the aforementioned user's actions In the aforementioned blacklist database.

(8) In addition, the present invention provides a comparison device. In the comparison device described in any one of (4) to (7), when the receiving means receives the claim that the user is not a legitimate user, the aforementioned The blacklist database is the information on the actions of the aforementioned users in the aforementioned blacklist database, and a blacklist confirmation flag is erected.

(9) The present invention provides a comparison device. In the comparison device described in (8), the blacklist index calculation means compares the information of the user’s actions received by the receiving means with those in the blacklist When the aforementioned black list confirmation flag in the aforementioned blacklist with a high degree of similarity is erected, the aforementioned flag that the aforementioned user is not a legitimate user is calculated to be higher and sent.

(10) In order to solve the aforementioned problems, the present invention provides a service provision method that uses a server that provides a predetermined service to users. The server part, and the service providing system of the authentication server for judging whether the aforementioned user is a legitimate user, the service providing method for the aforementioned user to provide a predetermined service includes: a service provision step, the aforementioned server part will The user’s information is provided to the aforementioned authentication server unit, and the aforementioned user who is judged by the aforementioned authentication server unit to be a legitimate user is provided with the aforementioned predetermined service; the sending step is that the aforementioned server unit sends the aforementioned user to the aforementioned user The operation information of the server unit is sent to an external comparison device; the determining step is that the authentication server unit receives the information of the user from the server unit, and determines whether the user is a legitimate user; and the receiving step , The authentication server section receives an indicator that the user is not a legitimate user from the external verification device.

(11) In order to solve the aforementioned problem, the present invention provides a comparison method, which is based on the information of the user's actions, and obtains the index that the aforementioned user is not a legitimate user. The method is characterized by including: a communication step, receiving The information of the aforementioned user's actions; the step of recording the information of the aforementioned user's actions that are judged not to be legitimate users in the blacklist database; and the step of calculating the blacklist index, which compares the steps received in the aforementioned communication step According to the similarity between the information of the aforementioned user’s actions and the data in the aforementioned blacklist database, an indicator that the aforementioned user is not a legitimate user is calculated and sent.

(12) In order to solve the aforementioned problems, the present invention provides a computer program that makes the computer serve as a service providing system with a server part that provides a predetermined service to the user and an authentication server that determines whether the aforementioned user is a legitimate user The computer program of action is characterized by The computer executes the following procedures: the service provider is used as the server section to provide the user’s information to the authentication server section, and for the user who is judged to be a legitimate user by the authentication server section, execute The provision of the aforementioned predetermined service; the sending procedure is used as the aforementioned server unit to send information about the actions of the aforementioned user on the aforementioned server unit to an external comparison device; the judgment procedure is used as the aforementioned authentication server unit from the aforementioned The server unit receives the information of the aforementioned user and determines whether the aforementioned user is a legitimate user; and the receiving process is used as the aforementioned authentication server unit to receive from the aforementioned external comparison device that the aforementioned user is not a legitimate user index.

(13) In order to solve the aforementioned problems, the present invention provides a computer program that uses a computer as information based on the user's actions to obtain a reference device that indicates that the user is not a legitimate user. Its characteristics are In order for the aforementioned computer to execute the following procedures: the communication procedure is to receive information on the actions of the aforementioned users; the procedure to record the information on the actions of the aforementioned users who are judged not to be legitimate users in the blacklist database; and The list index calculation procedure is to compare the information of the aforementioned user’s actions received in the aforementioned communication procedure with the data in the aforementioned blacklist database, and calculate and send the information that the aforementioned user is not a legitimate user based on the degree of similarity. index.

In this way, according to the present invention, a blacklist database is constructed, and based on this, indicators that are not legitimate users are provided, so it can be more efficient It detects access by a user who is judged not to be a legitimate user.

10‧‧‧Web site

12‧‧‧Top page

14‧‧‧Login page

16‧‧‧Product page

18‧‧‧Company Profile Webpage

20‧‧‧Member Information Page

22‧‧‧Purchase page

24‧‧‧Remittance‧Points exchange webpage

30‧‧‧User

32‧‧‧Proprietor System

32a‧‧‧Web server

32b‧‧‧Authentication Server

34‧‧‧Comparison server

34a‧‧‧Means of communication

34b‧‧‧Whitelist database

34c‧‧‧Blacklist database

34d‧‧‧Probability calculation method

40‧‧‧Browser information sending

42‧‧‧Browser information sending

44‧‧‧ID‧Password sending

46‧‧‧Hashing ID‧Password sending

48‧‧‧Disguise Probability Transmission

50‧‧‧Login allowed sending

52‧‧‧Send of web page migration

54‧‧‧Send of web page migration information

56‧‧‧Disguise Probability Transmission

58‧‧‧Additional certification

60‧‧‧Improper confirmation

62‧‧‧Improper confirmation

64‧‧‧Forced logout

BLDB‧‧‧Blacklist Database

WLDB‧‧‧Whitelist Database

[FIG. 1] An explanatory diagram for explaining the outline of the structure of a Web site 10 related to this embodiment.

[Figure 2] An explanatory diagram showing a record example of the white list database and a record example of the black list database related to this embodiment.

[FIG. 3] A diagram showing the overall structure of the processing flow when the service provided by the Web site 10 of the present embodiment is performed.

[FIG. 4] The block diagram of the control server 34.

[Fig. 5] A sequence diagram showing the overall operation flow of the system related to this embodiment.

[FIG. 6] A flowchart showing the operation of the collation server 34.

[FIG. 7] A flowchart showing the operation of the collation server 34.

Hereinafter, the preferred embodiment of the present invention will be explained based on the drawings.

1. Basic idea

FIG. 1 is an explanatory diagram illustrating the outline of the structure of a Web site for providing a predetermined service (such as a shopping mall) through a network such as the Internet. The same map is a type of map called a so-called site map.

Hereinafter, the Web site 10 shown in FIG. 1 will be described as a person who constitutes a shopping mall, for example. The Web site 10 first has a Top page 12, from which a link is pasted, and can be moved to a login page 14, a product page 16, and a company profile page 18. In the login page 14, the user uses his ID and password to log in, and then moves to the member information page 20, purchase page 22, remittance and point exchange page 24.

In such a Web site 10, the user performs, for example, actions described later.

(1) User actions and whitelist and blacklist

A user who wants to use the shopping mall first accesses the Top page 12, and then moves to the product page 16 to view the product to be purchased. The user who has decided on the product to be purchased, moves to the login page 14 and enters the ID and password to log in.

After that, the user moves to the purchase page 22 and executes the product purchase procedure. After the user purchases the goods, he moves to the remittance and point exchange page 24, confirms the points accumulated so far, and the goods that can be exchanged with the points, logs out, and ends the use of the Web site 10.

In this embodiment, when a user performs such an action, the Web site 10 records the user's action and builds a whitelist database. As the logged user's actions, in addition to web page migration (movement between web pages), the user's IP address that can be obtained from the user's browser, the type of terminal used, and the used OS Wait. By recording these actions and building a whitelist database, it can be "user-specific Color" database.

According to this whitelist database, the actions of its users can be compared with the actions of its users so far, and it can be known whether the user is performing the same action as it has so far, or is performing what has not been done so far. Actions.

Then, when a page migration of a user in the Web site 10 detects a different action from the user so far, it is also possible to register it in a so-called blacklist database instead of a whitelist database based on this. The blacklist database is a database that records information about actions that may not be a legitimate user. As a result, it is also possible to perform corresponding processing such as additional authentication (Risk Rased Authentication) to the user. It is also possible to block access caused by a malicious third party pretending to be the user.

At this time, a malicious third party may perform access by a real person himself using a keyboard, etc., or a computer may mechanically pretend the user to perform access.

(2) Blacklist

The features in this embodiment, in addition to constructing proper user characteristics as a whitelist database, are also used as a blacklist database to database for actions that deviate from the whitelist database. In this way, through databaseization, information about improper "camouflage" actions can be saved, accumulated, and improper access caused by malicious third parties can be detected more efficiently, which can improve the performance The possibility of further exclusion.

Here, "deviation" refers to basically, its action has data that is not similar to the records registered in the existing whitelist database. In addition, not only the data is similar/not similar, but the situation where access from a specific IP address occurs more than 100 times a day can also be included in the situation as "deviation".

(3) The content of the whitelist and blacklist

Describes an example of the contents of the whitelist database and the blacklist database constructed in this embodiment. The contents of the two records are almost the same. However, in the blacklist database, as described later, each record is provided with a blacklist confirmation flag that is not available in the whitelist database. In FIG. 2 described below, the black list determination flag is omitted and is not disclosed. Regarding the blacklist confirmation flag, its actions and functions will be described in detail later.

In Fig. 2, there is shown a record example of a whitelist database that reveals information that records the actions of a legitimate user, and a blacklist data that records information that pretends to be the actions of a malicious third party of the legitimate user An explanatory diagram of a record example of the library.

As shown in the figure, the records recorded in the whitelist database (and the blacklist database) are divided into 5 categories. The first type of information is user information, mainly ID and password. The user information is the information of the user 30 that is the subject of the specific action.

The user information is recorded in both the whitelist database and the blacklist database, and both the hashed ID and hashed password are recorded. This is to make the amount of data concise and easy to perform comparison operations, etc., and to prevent individuals from being completely identified, and to reduce the possibility of personal information leakage.

The second type of information is terminal information, the information of the terminal used when the user accesses the Web site 10, and the type of terminal used and the type of OS are recorded. In addition, information related to the language used is also recorded. The third type of information is the information of the browser used by the user. The information of the browser also corresponds to the records of each terminal used. If there are plural types of browsers, the information of plural browsers will be recorded.

The fourth type of information is the user's IP address. According to the IP address, the user's location can be known. The fifth type of information system webpage migration. This information system is shown in FIG. 2, which reveals the referrer URL (Referrer URL) and the information of what kind of web pages have been viewed on the Web site 10. For example, in the example of FIG. 2, a legitimate user of the whitelist database logs in, and after confirming the purchase history on the purchase history webpage, he browses the point confirmation webpage to confirm the available points. Furthermore, a malicious third party who pretends to be a legitimate user in the blacklist database is connected to the point exchange webpage immediately after logging in, and wants to exchange points. In this way, the webpages viewed on the web site 10 are significantly different between a legitimate user and a malicious third party who pretends to be malicious, which can be known from experience.

Furthermore, the time spent on the Web site 10 is also recorded in the information of the web page migration. It is generally known that a malicious third party stays on the Web site 10 for a shorter period of time than a legitimate user. As such time information, it is further preferable to record the staying time on each web page to be viewed.

Furthermore, as a malicious third party, there are cases where it is a real person, and there are cases where it is a machine (computer) masquerading as a legitimate user. In this way, when the computer pretends to be a legitimate user, most of the time spent on the entire Web site 10 and the time spent on each page are very short, and there may also be situations where it is distinguished from a real person based on the length of stay.

In addition, there are situations where the typing speed is abnormally fast, which can be distinguished from real people.

In the example shown in Figure 2, in order to make it easier to understand, in the terminal information and browser information, it has been revealed that the actions of a legitimate user and a malicious third party are significantly different, but even in either type In the situation where the information of is greatly different, it can be judged as "deviation" from the whitelist database. In addition, various criteria may be adopted for such judgment criteria. In this way, compare the actions of the user (disguised third party) accessing the Web site 10 with the action information registered in the whitelist database, compared to the information registered in the whitelist database When it is judged as "deviation", the aforementioned information of the action will be registered in the blacklist database.

When constructing the blacklist database, if the information of the user 30's actions is compared with the information in the blacklist database, the probability of the user being disguised by a malicious third party can be efficiently judged high.

The recorded content described here is only an example, and various types of information may be recorded. In addition, the record content described here is an example of the disclosure standard, and it is also possible to use fewer types of information to form a whitelist database and a blacklist database.

2. The specific structure of this embodiment

(1) The overall structure of the system of this embodiment

FIG. 3 shows the overall structure diagram of the processing flow when the service provided by the Web site 10 of the present embodiment is performed. As shown in the figure, the provision of this service is performed using a structure including a user 30, a business system 32, and a collation server 34. These structures are connected to each other through a communication network such as the Internet, and can send and receive information or instructions, messages, and the probability of masquerading as described later.

(2) User

The user 30 is a user 30 who accesses the Web site 10 (for example, a shopping mall), and accesses the Web site 10 from a computer or a mobile terminal. Here, the computer or mobile terminal used by the user 30 is simply referred to as the "user" 30.

When the user 30 accesses the Web site 10, he uses the ID and password in the login page to try to log in. This action is disclosed in Figure 3 (1).

(3) Proprietor system

The business operator system 32 is a system that implements the Web site 10, for example, a business operator operating a shopping center. The provider system 32 is composed of a Web server 32a and an authentication server 32b.

The provider system 32 corresponds to an ideal example of a service providing system in the scope of the patent application.

(3-1) Web server

The web server 32a is a web server that provides the web site 10. In the Web site 10, the action is described in, for example, HTML (Hyper Text Markup Language). The web server 32a corresponds to an ideal example of a server unit in the scope of the patent application.

The Web server 32a of the present embodiment has two types of functions (means) that are roughly distinguished. Each function is realized by a program that describes these functions and the CPU (or processor) of the Web server 32a that executes the program.

Service provision function

First, the Web server 32a has a service providing function for providing the service of a Web site to the user 30. This function is to provide a function of a normal Web site, and is realized by executing a Web server program by the CPU of the Web server 32a. The specific structure and function of the Web site 10 may be described in HTML, for example. In addition, the service providing function also includes a function of sending the ID and password entered by the user 30 to the authentication server 32b (shown as (2) in FIG. 3).

In addition, when the service providing function performs additional authentication processing for the user 30, it instructs the sending function described below to send the result.

The service provision function is equivalent to an ideal example of the service provision method in the scope of the patent application.

Send function

In addition, the Web server 32a of the present embodiment has a transmission function of transmitting information about actions performed by the user 30 on the Web site 10 to the external collation server 34. The sending action caused by the sending function is shown in Figure 3 (3).

The sending function is preferably realized by describing a predetermined program in the aforementioned HTML that describes the structure and functions of the Web site 10, for example. For another example, it is also preferable to embed JavaScript (registered trademark) describing the function of sending in the HTML file to realize the sending function.

In addition, when the sending function is instructed to perform the sending of the result of the additional authentication from the service providing function, it sends the result of the additional authentication to the external collation server 34. In particular, when the service providing function determines that the user 30 is not a legitimate user after confirming the result of the processing, the collation server 34 sends the fact that the user is not a legitimate user.

This transmission function is equivalent to an ideal example of the transmission method in the scope of the patent application.

In this way, the Web server 32a has a service provision function (service provision means) for providing services to the user 30 and processing related to user authentication, and a sending function (transmission means) for sending predetermined information and messages to the comparison server 34 .

Therefore, the external comparison server 34 can construct a whitelist database and a blacklist database based on the action information of the user 30 sent by the Web server 32a using the sending function.

(3-2) Authentication server

The authentication server 32b determines the authentication action of the user 30 and the execution of the authentication action. The authentication server 32b is equivalent to an ideal example of the authentication server in the scope of the patent application.

The authentication server 32b of the present embodiment has roughly three types of functions (means). Each function is realized by a program that describes these functions and the CPU (or processor) of the authentication server 32b that executes the program.

Judgment function

First, the authentication server 32b is equipped with the ID and password of the user 30 sent from the Web server 32a to determine whether the user 30 is a legitimate user, and sends back the judgment result (authentication result) to the Web server. Function of the device 32a (judgment means). This action is represented by (6) in FIG. 3. The judgment function is composed of a program that executes the judgment process and the CPU (or processor) of the authentication server 32b that executes the program. Then, the Web server 32a recognizes the login of the user 30 or executes actions such as rejection based on the authentication result of the authentication server 32b.

This judging function is equivalent to an ideal example of the judging method for the scope of the patent application.

Furthermore, the judgment function of the authentication server 32b includes a function of hashing the aforementioned ID received from the web server 32a, and sending the hashed ID to the external collation server 34. This action is shown as (4) in FIG. 3. As a result, the comparison server 34 is based on the ID and compares it with the slave Web server. The user's action information provided by the device 32a constructs a whitelist database that records the information of the legitimate user's actions.

Receiving function

In addition, the authentication server 32b is equipped with an external comparison server 34, which appropriately receives information based on the user's actions and the probability of masquerading by a malicious third party (referred to as "masquerading probability"). Features. The receiving action is shown as (5) in FIG. 3. The receiving function is implemented by a communication interface for communicating with the comparison server 34, a program for controlling the communication interface, and a PCU (or processor) of the authentication server 32b that executes the program.

Here, the "probability of disguise" means the probability that the user 30 is not a legitimate user, that is, a malicious third party pretending to be a legitimate user, and a machine (computer, robot, etc.) pretending to be a legitimate user. Etc.).

In addition, in the present embodiment, "probability" is used, but it can be used in the same way as long as it is an index indicating probability. For example, instead of probabilities (a real number from 0 to 1), a value from 0 to 255 may be used to reveal the degree of an unjust user. In addition, it is also possible to use indexes indicating the degree of unjustified users with "large", "medium" and "small". In addition, any index may be used as long as it is an index indicating the degree to which the user is not a legitimate user.

Confirm instruction function

The authentication server 32b is based on the masquerading probability received by the receiving function, It is determined whether the user 30 needs additional authentication. Then, when it is determined that additional authentication is necessary, the authentication server 32b has a confirmation instruction function of sending an instruction for additional authentication to the Web server 32a. The instruction of this additional authentication is shown as (7) in FIG. 3. The confirmation instruction function is also composed of a program that compares the masquerading probability with a predetermined threshold, and determines whether additional authentication is required, and the CPU that executes the program.

In addition, the confirmation instruction function corresponds to an ideal example of the confirmation instruction means of the scope of the patent application. Then, the instruction of additional authentication corresponds to an ideal example of the instruction to execute the confirmation process of the patent application.

The service providing function of the Web server 32a executes additional authentication for the user 30 when receiving an instruction for additional authentication. Various methods can be used for additional authentication. To the mobile terminal of the legitimate user 30, send "Someone is using your ID to access the Web site 10. If the access is not performed by you, please press (or touch) the inappropriate button", etc.地信息。 Ground message. When an improper button is pressed (or touched), it can be determined that the website 10 is currently being accessed by a malicious third party, and the access can be cut off.

(3-3) Control server

The collation server 34 constructs a whitelist database by receiving and recording information on the actions of the user 30 sent from the Web server 32a. In the present embodiment, when the information characteristic of the actions of the user 30 is not similar to the record in the whitelist database (when there is no similar record), the possibility of disguise caused by a malicious third party is judged. Log the information of the action Recorded in the blacklist database.

The control server 34 uses these whitelist databases and blacklist databases, and calculates that the user 30 is not legitimate based on the action information of the user 30 sent from the Web server 32a ((3) in Fig. 3) The probability of the user is sent to the authentication server 32b (disclosed by (5) in FIG. 3). The comparison server 34 is equivalent to an ideal example of a comparison device in the scope of the patent application.

(3-3a) The structure of the control server 34

The block diagram of the control server 34 is shown in FIG. 4. The comparison server 34 has a communication means 34a, a whitelist database 34b, a blacklist database 34c, and a probability calculation means 34d.

Means of communication

The communication means 34a is a means for sending and receiving information and instructions to and from the business system 32. Via a communication network such as the Internet, as shown in FIG. 3, it receives the actions of the user 30 sent from the Web server 32a. The information ((3) of Fig. 3) provides the received information for the other means in Fig. 4, the whitelist database 34b, the blacklist database 34c, and the probability calculation means 34d.

The communication means 34a is equivalent to an ideal example of the communication means in the scope of the patent application.

In addition, the communication means 34a sends the masquerading probability calculated by the probability calculation means 34d to the authentication server 32b ((5) of FIG. 3). Advance The communication means 34a receives the result of additional authentication for the user 30 from the authentication server 32b ((4) in FIG. 3).

Furthermore, the communication means 34a is composed of a communication interface with a communication network and a predetermined communication program executed by the CPU in the comparison server 34. The CPU uses the control communication interface to implement the communication means 34a by executing the communication program.

Whitelist database

The whitelist database 34b is a database that records the information of the actions of the legitimate user 30, for example, based on the access of the legitimate user 30 from 1 to 1000 times, the information of the actions of 1 to 1000 is recorded ( Records). Specifically, the whitelist database 34b is a program that records information about the actions of the user 30 received by the communication means 34a in the memory means by a memory means such as a hard disk, and executes the program (compared to the program in the server 34). ) Consists of CPU and so on. As a result, in the white list database 34b, various information about the actions of the legitimate user 30 as shown in FIG. 2 is gradually recorded. This record corresponds to each user 30, and memorizes information (records) with access levels ranging from 1 to 1000. For example, 10 to 30 records per person is better. In this embodiment, an example of memorizing the latest 20 records per person is explained, but several records may be used. The so-called record, in principle, the information of a series of actions from the user 30 starting to access the Web site 10 to logging out, as illustrated in Fig. 2, also includes the information of the used browser, etc. data. However, as a record, each action of the user 30 may be recorded. Records in the blacklist database 34c Recording is also the same concept.

The whitelist database 34b compares the action information of the user 30 with the existing information of the matching user 30 in the whitelist database 34b, and judges it as "does not match the action of the user 30" based on the fact that the two are not similar. ", send it to the blacklist database 34c, and memorize it in the blacklist database 34c. This judgment is also executed by the aforementioned program. Furthermore, the judgment of approximation/non-approximation does not necessarily need to be compared by a series of operations from the start of the access to the end of the access. In other words, only a part of the information is used for comparison, and approximate/non-approximate judgments can be made. That is, it may be determined in real time during the access of the user 30.

Blacklist database

The blacklist database 34c is the information about the actions of the user 30 sent from the Web server 32a. It is not similar to the record in the whitelist database 34b. It is the data that records the information of the action when the so-called "deviation" information is used. Library.

Specifically, the blacklist database 34c is determined by the memory means of the hard disk or the like to judge the whitelist database 34b (program) as not similar to the records in the whitelist database 34b, and send it to the blacklist database 34c The information of the operation is recorded in the program of the memory means of the aforementioned hard disk, etc., and it is constituted by the CPU that executes the program (in the control server 34).

As described above, the whitelist database 34b of the collating server 34 records information on the actions of the legitimate user 30. The whitelist database 34b compares the actions of the user 30 sent from the Web server 32a. When it is judged that the information of the action is not similar or deviating from the information in the whitelist database 34b, the information of the action is sent to the blacklist database 34c. The blacklist database 34c is a database that stores the information of the action to be sent.

In this way, the blacklist database 34c is the same as the whitelist database 34b, and is a database for recording information about the actions of the user 30, so the memory items are almost the same as the whitelist database 34b, as illustrated in FIG. 2. However, in the blacklist database 34c, each record is provided with a unique flag "Blacklist Confirmation Flag" which is not available in the whitelist database 34b. This flag is a flag that becomes "1" when it is determined that the information of each action is not the information of the action caused by the proper user 30.

Here, the blacklist confirmation flag becomes "1", which is equivalent to an ideal example of the blacklist confirmation flag erected in the scope of the patent application.

In the blacklist database 34c, when the information of an action "deviation" from the information of the action in the whitelist database 34b is newly recorded, the blacklist determination flag of the information of the action is "0". The black list confirmation flag being "0" is an example of the state where the black list confirmation flag is not upright.

After that, by the additional authentication processing performed by the Web server 32a, when the information of the action is determined not to be the action caused by the proper user 30, the black list confirmation flag of the record of the information of the action is set to "1" ( The black list confirms that the flag is erected). Actions such as setting the black order confirmation flag to "1" are also executed by the aforementioned program. In addition, the value of the black order confirmation flag is used for the probability calculation performed by the probability calculation means 34d.

Probability calculation method

The probability calculation means 34d is based on the action information of the user 30 sent from the Web server 32a, calculates the probability that the action information is not caused by a proper user, that is, the masquerading probability, and sends it to the authentication server 32b (equivalent to (5) in Figure 3).

The probability calculation means 34d is composed of a program describing the calculation actions performed by the probability calculation means 34d, and the CPU of the collation server 34 that executes the program.

Moreover, the probability calculation means 34d is equivalent to an ideal example of the blacklist index calculation means in the scope of the patent application. In addition, the probability of disguise corresponds to an ideal example of the "indicator of not a legitimate user" in the scope of the patent application.

In the present embodiment, the probability called the masquerading probability is calculated. However, as long as it is an index indicating the degree of a user who is not a legitimate user, the index may be simply "high" and "low". In addition, the probability is represented by an integer from 0 to 10, and it may be represented by 11 stages. These are also an ideal example of the scope of patent application.

The probability calculation means 34d firstly, based on whether the action information of the user 30 sent from the Web server 32a is similar to the record recorded in the blacklist database 34c, and calculates the probability of masquerading according to the degree of similarity. The higher the degree of approximation, the higher the probability of camouflage, and the lower the degree of approximation, the lower the probability of camouflage is calculated. In this way, in accordance with the degree of approximation to the approximate record, a mathematical method for calculating the probability of conforming to the record, various methods are previously known, so it is sufficient to use this calculation method appropriately. To put it simply, as the points, calculate the cumulative composition record (Information of the action) The sum of the squared values of the difference of various elements. The smaller the value of the relevant point, the higher the probability (closer to 1). The probability can also be calculated.

In addition, the judgment of whether it is similar or not may be executed every time the information of the action is sent. That is, the comparison may be a comparison of only a part of the elements. For example, even if the webpage is migrated twice, it can be compared with the record in the blacklist database 34c (the condition where the webpage is migrated multiple times). As a result, for the actions of the user 30, the probability of masquerading can be calculated in real time.

Also, if the blacklist confirmation flag of the record (group) in the blacklist database 34c that is judged to be the most similar to the action information of the user 30 sent from the Web server 32a is "1", even if it is the same The degree of approximation is better than the situation where the camouflage determination flag is "0". It is better to calculate the calculated camouflage probability correction to be higher. This is because when it is similar to the record determined by the determination of the information of the actions of the unjust user 30, it can be considered that the probability of the unjust user 30 is high.

The probability calculation means 34d of the present embodiment is to calculate the fake probability of the user 30 based on the information in the blacklist database 34c in this way.

Furthermore, when there is no record similar to the information of the user 30's actions in the blacklist database 34c, in principle, a low-value masquerading probability is calculated and sent. Furthermore, when there is no record in the blacklist database 34c that is similar to the information of the user 30's actions, the information is compared with the records in the whitelist database 34b, based on the presence or absence of similar records and the degree of similarity, It is also possible to calculate the probability of camouflage. At this time, if a record similar to the information of the action exists in the whitelist database 34b, the probability of the user 30 not being a legitimate user (the probability of masquerading) is corrected and calculated to be low. On the other hand, when a record similar to the information of the action does not exist in the whitelist database 34b, the masquerading probability may be corrected and calculated to be higher. At this time, the information of the action, which is the calculation target of the masquerading probability, will be newly registered in the blacklist database 34c.

3. Action

Next, the operation flow of the system of this embodiment will be explained based on the drawings.

FIG. 5 shows a sequence diagram of the overall operation flow of the system related to this embodiment. Furthermore, in the timing chart of FIG. 5, it is assumed that time passes from top to bottom.

First, the user 30 accesses the Web site 10. Then, the information of the browser used by the user 30 to access is sent to the Web server 32 a that provides the Web site 10. This action is shown in FIG. 5 as sending 40 of browser information.

Then, the Web server 32a in the provider system 32 receives the sent browser information and sends it to the comparison server 34. This action is disclosed in FIG. 5 as sending 42 of browser information. In the comparison server 34, the communication means 34a receives the browser information, and sends the browser information to other structures such as the whitelist database 34b.

Next, the user 30 is transferred to the login page 14 and enters ID and password. This system is shown in Figure 5 as ID‧Password sending 44. Then, the Web server 32a receives the sent ID‧ password, and sends it to the authentication server 32b for authentication ((2) in FIG. 3). The authentication server 32b uses the ID and password to authenticate the user 30, and hashes them, and sends the hashed ID and the hashed password to the collation server 34.

This sending action is shown in Fig. 5 as sending 46 of the hashed ID‧ password. In the comparison server 34, the communication means 34a receives the hashed ID‧ password information, and sends the hashed ID‧ password to other structures such as the whitelist database 34b. In this way, the hashed ID‧ password can be recorded in the whitelist database 34b, blacklist database 34c, etc.

In the present embodiment, the transmission of the hashed ID and the hashed password 46 (refer to FIG. 5) is executed by the authentication server 32b, but the Web server 32a may also execute it.

The comparison server 34 obtains the "masquerading probability" that the user 30 is not a legitimate user based on the sent hashed ID and password, and browser information, and sends it to the authentication server 32b of the business system 32 . The calculation of the masquerading probability is performed by the probability calculation means 34d, and the transmission of the masquerading probability is performed by the communication means 34a. This transmission is shown in Figure 5 with a transmission 48 with a masquerading probability.

The authentication server 32b receives the sent masquerading probability. Then, based on the masquerading probability, it is determined whether to perform additional authentication for the user 30. If the authentication server 32b does not decide to perform additional authentication, it will The status that the certificate has been successfully completed is sent to the Web server 32a ((6) in FIG. 3). The web server 32a that has been notified that the authentication has been successful sends a message allowing the user to log in. This is shown in Figure 5 with a login permission 50.

Furthermore, here, the authentication server 32b performs authentication based on the unhybridized ID and password (shown as (2) in FIG. 3), assuming that the authentication of the legitimate user is successfully completed. Of course, if the authentication fails due to the ID and password, login is not allowed.

The logged-in user 30 starts to browse a desired web page in the Web site 10, and moves the browsed web page as appropriate. This is shown in Fig. 5 as webpage mobile 52. The webpage movement is sent to the web server 32a, and the user 30 can move to the desired webpage. Furthermore, the web server 32a sends the entire information including the user's actions of such webpage movement to the collation server 34. This is shown in Figure 5 as the sending 54 of web page migration information. It is described as the transmission 54 of the page migration information, but represents the information of the entire action of the user 30.

In the comparison server 34, the page migration information (information on the actions of the user 30) is appropriately recorded in the whitelist database 34b. When it is not similar to the whitelist database 34b, there is also a status appropriately recorded in the blacklist database 34c. Here, the page migration information (information on the actions of the user 30) is compared with the records in the whitelist database 34b and the blacklist database 34c to find the degree of similarity. Based on the degree of approximation, the probability that the user is not a legitimate user is calculated.

This calculation is performed by the probability calculation means 34d. About pseudo The detailed calculation operation of the installed rate, etc., will be described based on the flowchart of the next Fig. 6 (and Fig. 7). The calculated masquerading probability is sent to the authentication server 32b. This is shown in Figure 5 as a transmission 56 with a masquerading probability.

The authentication server 32b receives the sent masquerading probability, and based on the probability, determines whether additional authentication should be performed. For example, comparing the masquerading probability with a predetermined threshold value, and when the masquerading probability is relatively small, it may be judged to perform additional authentication. As a result of this determination, when the masquerading probability is less than the predetermined threshold value and it is determined that additional authentication should be performed, the authentication server 32b sends an instruction to perform additional authentication to the Web server 32a. The instructions for additional authentication are shown as (7) in FIG. 3. Furthermore, when the authentication server 32b determines that the execution of additional authentication is not to be performed, the authentication server 32b does not specifically instruct the Web server 32a (not to send).

The Web server 32a that has received the instruction of additional authentication performs additional authentication for the user 30. This operation is disclosed as additional authentication 58 in FIG. 5. Additional authentication can be performed in various ways. For example, it is good for the user 30 to make an additional inquiry that can be answered if it is the user 30. Furthermore, it is also preferable to send a predetermined mail to the mobile terminal held by the user 30, and to have the user 30 input the symbols and numbers in the mail on the Web screen. In addition, it is also preferable to send an email to the mobile terminal held by the user 30 and send a message such as "If the Web site 10 is not accessed now, please reply." In addition, various additional authentication 58 may be performed.

When this additional authentication 58 fails (the authentication process is not completed normally), the Web server 32a sends the failed additional authentication status to Authentication server 32b. This sending process is represented by an improper confirmation 60 in FIG. 5.

When the authentication server 32b receives the improper confirmation 60, it sends the same message to the collation server 34. This is shown in Figure 5 as an improper confirmation 62. In addition, the authentication server 32b sends a forced logout instruction to the Web server 32a. The logout instruction is represented by forced logout 64 in FIG. 5. When receiving the forced logout 64, the Web server 32a forcibly logs out the user 30 and disconnects.

Furthermore, here, it may be configured so as not to issue a forced logout 64 instruction. In this case, the web server 32a may be configured to spontaneously log out the user 30 even if there is no special instruction from the outside after the improper confirmation 60 is sent.

When the check server 34 receives the improper confirmation 62, it sets the blacklist determination flag of the matching record in the internal blacklist database 34c to "1" (the flag is erected).

User 30 is a legitimate user 30

Furthermore, in FIG. 5, the operation when the additional authentication 58 fails and the user 30 is confirmed as not a proper user (inappropriate confirmation 60) will be described. However, it is also possible that the user 30 is a legitimate user, who happens to use a different mobile terminal to access from a place different from usual. At this time, because the user 30 is a legitimate user, the additional authentication 58 is successful (the authentication process is completed normally), so the improper confirmation 60 and the improper confirmation 62 in FIG. 5 will not be sent. At this point, user 30 will log out soon, When the web server 32a receives the logout, it sends the logout to the collation server 34. When the comparison server 34 receives the logout, it judges that a series of actions has ended, and records the information on the actions of the user 30 so far in the whitelist database 34b, etc., as one record.

One record of the whitelist database 34b and the blacklist database 34c is, in principle, the user 30’s information about the actions of a conversation on the Web site 10, from access to execution log-in ~ browse each web page ~ log-in Information about the action until exit. However, each action of the user 30 may be processed as one record.

Above, by using the action described in the sequence diagram of FIG. 5, the record of the action information in the matching blacklist database 34c can be clearly identified as the action information of the legitimate user. In the future, the detection When the information of the action similar to the information of the recorded action is obtained, the camouflage product rate can be calculated to be higher, and it is expected that the access of an unauthorized user can be more accurately identified.

Check the action of server 34

Next, the operation of the collation server 34 will be described based on the flowchart of FIG. 7. In this flowchart, in particular, the construction of the whitelist database 34b and the blacklist database 34c, and the calculation of the masquerading probability will be mainly described. The transmission and reception of other data are shown in Figures 3 and It has already been explained in 5, so its detailed explanation is omitted.

Also, in FIG. 6, BLDB represents a blacklist database, and WLDB represents a whitelist database.

First, in step S1, the communication means 34a of the server 34 is compared to receive the information of the browser used by the user 30 for access. The received browser information is information that can become the record content of the whitelist database 34b, etc., and can be appropriately used in the whitelist database 34b, blacklist database 34c, etc. In addition, even in the probability calculation means 34d, it is used for the calculation of the degree of approximation (degree of approximation) of records in the existing database.

In step S2, the communication means 34a of the server 34 is compared to receive the hashed ID and the hashed password. The received ID and password are output to other means in the control server 34, and other means (whitelist database 34b, etc.) appropriately use the (hybridized) ID and password as needed.

In step S3, it is determined whether the received ID and password specific records and similar records exist in the blacklist database 34c. This determination is performed by the blacklist database 34c. As a result, if there is a matching record, the process proceeds to step S4, and when the matching record does not exist in the blacklist database 34c, the process proceeds to step S10 in FIG. 7.

In step S4, the probability calculation means 34d calculates the masquerading probability based on the records in the blacklist database 34c matching the received ID and password with similar data. Here, there may be one or two or more similar records. Then, calculate the probability based on the calculation criteria described below. Any calculation method can be used based on the standards described below.

‧The higher the degree of approximation (the more similar), the camouflaged machine The rate is calculated as the higher.

‧The more approximate records, the higher the probability of disguise is calculated.

‧When the black list confirmation flag of the approximate record is "1", the probability of disguise is corrected and calculated to be higher.

Use this calculation basis to calculate the probability. The probability calculation means 34d sends the calculated masquerading probability to the communication means 34a. The communication means 34a transmits the masquerading probability to the authentication server 32b of the business system 32 through a predetermined network.

In step S4, in parallel with the transmission of the masquerading probability, the blacklist database 34c records the ID and password, and new records related to the browser information.

In step S5, the communication means 34a of the server 34 is compared to receive the action information of the user 30. Here, the action information refers to the entire action information of the user 30 such as the transmission 54 of the page migration information in FIG. 5.

The communication means 34a outputs the received action information to other means in the control server 34, and other means (whitelist database 34b, etc.) appropriately use the action information as needed.

In step S6, the blacklist database 34c adds the action information to the new record made in the aforementioned step S4. In addition, the probability calculation means 34d also includes the received action information, and calculates the probability of masquerading. Then, the communication means 34a transmits the masquerading probability to the authentication server 32b.

The feature in this embodiment is that it is based on the actions of the user 30. In this way, the masquerading probability is calculated in real time and provided to the authentication server 32b. As a result, based on the actions of the user 30, the judgment material (masquerading probability) as to whether the user 30 is a legitimate user is quickly provided, so the authentication server 32b can immediately determine whether or not additional authentication should be performed. As a result, access by users who are not legitimate can be quickly blocked, and improper behavior can be prevented more reliably.

In step S7, it is determined whether the communication means 34a has received the improper confirmation (the improper confirmation 62 in FIG. 5). When the improper confirmation has been received, the process proceeds to step S9, and when it has not been received, the process proceeds to step S8.

In step S8, it is determined whether the communication means 34a has received logout. This logout represents a situation where the user 30 performs a normal operation, and cannot be determined as a legitimate user (unsure). As a result of this determination, when the logout has been received, the information on the actions of the user 30 so far is recorded as one record in the blacklist database 34c. The information of the action recorded here (1 record) is the information of the action of the user 30 on a conversation of the Web site 10, from access to execution of log-in ~ browse each web page ~ log-out. The blacklist confirmation flag of this record is set to "0". In this way, the collation server 34 ends one conversation, and waits for the user 30 to access the Web site 10 again.

On the other hand, in step S8, when the communication means 34a does not receive the logout, the access to the Web site caused by the user 30 continues. Return to step S5 again, and continue to perform the information of the user 30's actions The processing of the reception.

In step S9, the checking server 34 receives the improper confirmation 62 (refer to FIG. 5), and the communication means 34a provides the improper confirmation 62 to other means in the checking server 34. Based on the receipt of the improper confirmation 62, it is determined that the user 30 is not the legitimate user 30. Therefore, the blacklist database 34c is the information (record) of the user's actions in the blacklist database 34c, and the blacklist determination flag is set to "1". By setting the flag to "1", when the user 30 performing an action similar to the user 30's action information reappears, the probability of masquerading can be calculated to be higher.

After step S9, wait for another user 30 to access the Web site 10 again.

In step S10 of FIG. 7, it is determined whether the record of information corresponding to the action of the user 30 is recorded in the whitelist database 34b. This determination is executed by the whitelist database 34b.

As a result of the determination, when the information about the actions of the user 30 is not recorded in the whitelist database 34b, and although the information is recorded in the whitelist database 34b, but the number of records of the user 30 is less than 20, then It is judged that the accumulation of information on the actions related to the user 30 is insufficient, and the process proceeds to step S13. When the number of records is 20 or more, the process proceeds to step S11.

The white list database 34b of the present embodiment is configured to gradually record the information of the actions of the user 30, but as the record, the most recent 20 data are recorded. If the number is less than 20, the process moves to step S13 to accumulate information on the actions of the user 30.

In step S11, because it matches the record of user 30 There are 20. Therefore, the information of the actions of the user 30 is compared with the information of the actions in the whitelist database 34b to determine whether they are similar. As a result, if it is similar to any record, in order to record to the whitelist database 34b, it transfers to step S13.

In step S12, the information about the actions of the user 30 is not similar to the existing records in the whitelist database 34b, so it is judged as the so-called "off" data, and the blacklist database 34c is recorded. This processing is executed by the blacklist database 34c. When this recording is performed, the initial value of the blacklist confirmation flag is set to "0".

It is not similar to the existing records in the whitelist database 34b, which is equivalent to an example of "not conforming" to the ideal record in the whitelist database in the scope of the patent application.

In addition, when there are hundreds of accesses per day from the same IP address, it is also acceptable to add an example of "non-compliance" described here. In addition, the status of "non-conformity" in the scope of the patent application may include the status of access that is presumed to be improper.

In this embodiment, the feature is to set up a blacklist database 34c to judge improper access more efficiently. In order to construct the blacklist database 34c, the whitelist database 34b is used, and the information about the actions that deviate from the records therein is recorded in the blacklist database 34c. In this embodiment, the whitelist database 34b is mainly used, but other methods, that is, the whitelist database 34b is not used, and the information of the actions that should be registered in the blacklist database 34c may be determined. For example, when there is a situation of access caused by the same ID in a short time, it is judged as improper access It is highly likely to be registered in the blacklist database 34c.

The action after step S12 is to record in the blacklist database 34c, so the process moves to step S5 in FIG. 6. The operation after step S5 is as already explained.

On the other hand, in the processing after step S13, information on the actions of the user 30 is recorded in the white list database 34b. The recorded action is executed by the whitelist database 34b. In the present embodiment, the number of records of information (records) for the actions of a predetermined user 30 is set to 20. For example, if the information (records) of the actions of the user 30 is less than 20, the information of the actions is directly added. However, when 20 pieces of information (records) of the actions of the user 30 have been recorded, the information of the new actions is recorded, and the old records are deleted. With this kind of action, often only 20 records of the latest action information are recorded in the whitelist database 34b.

In step S14, the communication means 34a receives operation information. The communication means 34a provides the information of the action to other means in the comparison server 34.

In step S15, the whitelist database 34b gradually records the provided information of the aforementioned actions as the information of the user 30's actions in the whitelist database 34b.

Furthermore, when recording the blacklist database 34c, the masquerading probability is calculated and sent to the authentication server 32b (step S4, etc.).

However, as in step S15, when it is recorded in the whitelist database 34b, In principle, the masquerading probability of the value "0" is sent to the authentication server 32b. That is, the status recorded in the whitelist database 34b, which is the information about the actions of the user 30, is similar to the information that can be presumed to be the actions of the legitimate user 30 in the whitelist database 34b, and is regarded as the probability of masquerading. Properly assume "0".

However, as in step S15, even if it is recorded in the whitelist database 34b, the degree of similarity with the record in the existing whitelist database 34b is calculated. Therefore, the probability of masquerading may be calculated based on the degree of similarity. .

In step S16, it is determined whether the communication means 34a has received logout. The determination is performed by the communication means 34a. As a result of this determination, when the logout has been received, the information on the actions of the user 30 so far is recorded in the whitelist database 34b. Then, it waits for other users 30 to access the Web site 10.

On the other hand, in step S16, if the logout is not received, the process proceeds to step S14, and the operation of receiving information on the actions of the user 30 is continued.

As described above, according to this embodiment, the collation server 34 transmits and receives data to and from the provider system 32, and builds an internal whitelist database 34b and a blacklist database 34c. Furthermore, the comparison server 34 is its internal probability calculation means 34d, in principle, based on the blacklist database 34c, calculates the masquerading probability, and sends it to the authentication server 32b.

Also, in this embodiment, the provider system 32 has been explained If it is one, the business system 32 may be plural. In this case, the multiple operator systems 32 can share the collation server 34.

effect

With the above-mentioned operations, according to the present embodiment, not only the whitelist database 34b, but also the blacklist database 34c that records the information of the actions of the user 30 that may not be the legitimate user 30 can be constructed.

Furthermore, if the collation server 34 is shared by the plural business system 32, the blacklist database 34c can be shared. As a result, the information recorded in the blacklist database 34c as the actions of the unauthorized user 30 on the Web site 10 of a certain business operator can also be used by other businesses, which prevents malicious third parties. Improper access.

In particular, in recent years, many malicious third parties have seen cases in which a set of obtained ID and password are used to improperly access multiple Web sites 10. For such continuous improper access, the collation server 34 of this embodiment can be a useful countermeasure in particular. Furthermore, in this embodiment, not only the ID of the user 30, but also information about the actions of the user 30 are recorded to construct the blacklist database 34c and the whitelist database 34d. Therefore, it is possible to more efficiently detect Access caused by a malicious third party. In addition, since the information of the recorded action can also correspond to each action of the user 30, the probability of masquerading can be obtained in real time, and it is expected that access by a malicious third party can be detected more quickly.

4. Modifications

(1) In the above-mentioned embodiment, the probability calculation means 34d calculates the probability that the user is not a legitimate user. The probability value is a real value between 0 and 1. However, it is also ideal to use an index indicating the degree to which the user is not a legitimate user, instead of "probability." The aforementioned probability is also an ideal example of this indicator, and other indicators can also be used. For example, as such an indicator, the degree of similarity with the data in the blacklist database 34c may also be used. At this time, the higher the degree of approximation that can be estimated, the higher the degree of improper users. Therefore, this degree of approximation can also be ideally used as an index. In addition, any index may be calculated and used as long as it is an index indicating the degree of not being a proper user.

(2) In the above-mentioned embodiment, the example in which the collation server 34 is located in a place separated from the Web server 32a has been described. However, the collation server 34 may be located anywhere as long as it is accessible from the Web server 32a and the authentication server 32b, and it may be located at the same location as the Web server 32a. For example, it may be located in the provider system 32.

In addition, in the above-mentioned embodiment, an example in which the authentication server 32b is located on the same website as the Web server 32a has been described. However, the authentication server 32b may be located anywhere as long as it can be connected from the web server 32a and the collating server 34, and it may be located in a location isolated from the web server 32a. For example, it may be located outside the provider system 32.

(3) In the above-mentioned embodiment, the number of records of information (records) of actions of the same user in the whitelist database 34b, For example, it is set to 20, but it can be set to a smaller number, or more. In addition, it can also be constituted by dynamically adjusting the number of registrations according to the situation.

(4) In the above-mentioned embodiment, the collation server 34 sends the masquerading probability to the provider system 32, but sends the masquerading probability together with the blacklist database which is the most similar factor for the calculation of the masquerading probability The information in 34c can also be structured.

With such a configuration, it is possible to know what kind of improper access has been made on the side of the provider system 32, and it can also contribute to the security assurance situation. However, even for improperly accessed data, there are situations in which personal information is protected or other protected objects depending on the country. Therefore, in this situation, the provision of appropriate information should be more cautious.

(5) In the above-mentioned embodiment, when the information about the actions of the user 30 is recorded in the whitelist database 34b, "0" is sent as the pretense probability, but it should be similar to the record in the whitelist database 34b Calculate the masquerading probability, and send the masquerading probability of a value other than "0".

(6) In the above-mentioned embodiment, although there is no limit to the number of records in the blacklist database 34c, considering the calculation speed of the comparison and comparison, the number may be limited. In this case, for example, processing such as gradual deletion from the old record may be performed.

(7) In the above-mentioned embodiment, the data in the whitelist database 34b is recorded based on actual access, but it is also possible to manually pre-record typical formal data. Also, in the blacklist database 34c, Examples of improper access identified in advance by artificial memory are also acceptable.

(8) In the above-mentioned embodiment, the data in the whitelist database 34b is updated every time a new access is made, and the old data is gradually deleted. However, it is also possible to designate artificially fixed records. This is for users with low access frequency.

(9) In addition, the records of the whitelist database 34b and the blacklist database 34c may be adjusted appropriately using artificial means or other means, and it is also possible to delete records that are not very important by real persons. Various man-made operations can also be applied.

(10) In the foregoing implementation type, the hashed ID and the hashed password are recorded in the whitelist database 34b and the blacklist database 34c. However, it is also possible to use unhashed data, and use the application The encrypted ID and password can also be set.

Above, the embodiment of the present invention has been described in detail, but in the foregoing embodiment, various functions and means are realized by the program and the CPU that executes the program. Here, the various programs mentioned above are equivalent to an ideal example of a computer program in the scope of the patent application.

In addition, the embodiments of the present invention have been described in detail, but the foregoing embodiments only disclose specific examples when implementing the present invention. The technical scope of the present invention is not limited to those of the aforementioned embodiments. Various changes can be made to the present invention without departing from the scope of the spirit thereof, and these are also included in the technical scope of the present invention.

30: User

32: The business system

32a: Web server

32b: Authentication server

34: Control server

Claims (13)

A service provision system is a service provision system that provides a predetermined service to a user, and is characterized by: having: a server section, which provides the predetermined service to the aforementioned user; and an authentication server section, which judges whether the aforementioned user is legitimate The aforementioned server part includes: service provision means, which provides the aforementioned user’s information to the aforementioned authentication server part, and executes the aforementioned users who are judged to be legitimate users by the aforementioned authentication server part The provision of the predetermined service; and the sending means, which are to send the information of the user’s actions on the server section to an external comparison device; the authentication server section includes: judging means, which is received from the server section The aforementioned user information is used to determine whether the aforementioned user is a legitimate user; and the receiving means is to receive an indicator that the aforementioned user is not a legitimate user from the aforementioned external comparison device; and it can be obtained that the aforementioned user is not legitimate User indicators. For example, the service providing system described in the first item of the scope of patent application, wherein the aforementioned authentication server section further includes: a confirmation instruction means, which judges that the aforementioned user is not a legitimate user based on the aforementioned indicators received by the aforementioned receiving means The probability of a given threshold When the value is higher than the value, the server will issue an instruction for the user to perform the confirmation process to confirm whether the user is a legitimate user; the service provision means of the server will be when an instruction to perform the confirmation process is received , Perform confirmation processing for the aforementioned user. For example, in the service providing system described in item 1 or item 2 of the scope of patent application, when the foregoing service providing means is determined to be not a legitimate user as a result of the foregoing confirmation processing, the foregoing sending means is for the foregoing external In contrast to the device, it sends the message that the aforementioned user is not a legitimate user. For example, in the service providing system described in the first item of the scope of patent application, the aforementioned comparison device is a comparison device that obtains an indicator that the aforementioned user is not a legitimate user based on the information of the user's actions, and is characterized by including: The means of communication is to receive information about the user's actions from an external service providing system; and the means of calculating the blacklist index is a blacklist database that compares and records the information on the actions of the aforementioned users who are judged to be not legitimate users , The information on the actions of the user received by the receiving means and the data in the blacklist database are calculated and sent based on the degree of similarity to indicate that the user is not a legitimate user. Such as the service provision system described in item 4 of the scope of patent application, in which, The aforementioned communication means sends an indicator that the aforementioned user is not a legitimate user to the outside. For example, in the service provision system described in item 4 or item 5 of the scope of patent application, the aforementioned indicator of not being a legitimate user is the probability of not being a legitimate user. For example, the service provision system described in item 4 or item 5 of the scope of patent application, which further includes: a whitelist database, which records the information of the legitimate actions of the aforementioned users; and the information of the aforementioned users received by the aforementioned receiving means When the action information is judged to be inconsistent with the records in the whitelist database, the blacklist database is to register the received action information of the user in the blacklist database. For example, the service providing system described in item 4 or item 5 of the scope of patent application, wherein, when the aforementioned receiving means receives that the aforementioned user is not a legitimate user, the aforementioned blacklist database is in the aforementioned blacklist database For information on the aforementioned user’s actions, a black list is set up to confirm the flag. For example, the service provision system described in item 8 of the scope of patent application, wherein the aforementioned blacklist index calculation means compares the information of the aforementioned user’s actions received by the aforementioned receiving means, and is similar to the record in the aforementioned blacklist The aforementioned black list in the aforementioned blacklist confirms that the flag is vertical Immediately, the flag that the aforementioned user is not a legitimate user is calculated to be higher and sent. A service provision method that uses a service provision system that has a server section that provides a predetermined service to a user, and an authentication server that determines whether the user is a legitimate user, and a service provision method that provides the predetermined service to the user , Includes: service provision step, the server section provides the user’s information to the authentication server section, for the user who the authentication server section judges to be a legitimate user, performs the provision of the predetermined service ; The sending step is that the server section sends information about the user's actions on the server section to an external comparison device; the determining step is the authentication server section receives the user’s information from the server section , Judging whether the user is a legitimate user; and the receiving step is that the authentication server section receives an indicator that the user is not a legitimate user from the external comparison device. For example, the service provision method described in item 10 of the scope of patent application, in which, based on the information of the user's actions, the comparison device for obtaining the indicator that the aforementioned user is not a legitimate user is performed by performing the following steps: communication step, receiving The information of the aforementioned user's actions; the step of recording the information of the aforementioned user's actions that are judged not to be legitimate users in the blacklist database; and the step of calculating the blacklist index, which compares the steps received in the aforementioned communication step According to the similarity between the information of the aforementioned user’s actions and the data in the aforementioned blacklist database, an indicator that the aforementioned user is not a legitimate user is calculated and sent. A computer program that enables a computer to operate as a service providing system with a server portion that provides a predetermined service to a user, and an authentication server that determines whether the aforementioned user is a legitimate user, and is characterized by the aforementioned The computer executes the following procedures: the service provider is used as the server section to provide the user’s information to the authentication server section, and for the user who is judged to be a legitimate user by the authentication server section, execute the foregoing The provision of a predetermined service; the sending procedure is used as the aforementioned server unit to send information about the actions of the aforementioned user on the aforementioned server unit to an external comparison device; the judgment procedure is used as the aforementioned authentication server unit from the aforementioned server The server unit receives the information of the aforementioned user and determines whether the aforementioned user is a legitimate user; and the receiving process is used as the aforementioned authentication server unit to receive an indicator that the aforementioned user is not a legitimate user from the aforementioned external comparison device . For example, the computer program described in item 12 of the scope of patent application, in which the computer program operates by using the computer as the information based on the user's actions to obtain the indicator that the aforementioned user is not a legitimate user. Its characteristics are Make the aforementioned computer execute the following procedures: the communication procedure is to receive the information of the aforementioned user's actions; The process of recording the information about the actions of the aforementioned users who are judged not to be legitimate users in the blacklist database; and the blacklist index calculation process, which compares the information of the actions of the aforementioned users received in the aforementioned communication process According to the degree of similarity with the data in the aforementioned blacklist database, calculate and send an indicator that the aforementioned user is not a legitimate user.

Images